---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: cilium
rules:
- apiGroups:
  - networking.k8s.io
  resources:
  - networkpolicies
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - discovery.k8s.io
  resources:
  - endpointslices
  verbs:
  - get
  - list
  - watch
- apiGroups:
  - ""
  resources:
  - namespaces
  - services
  - pods
  - endpoints
  - nodes
  verbs:
  - get
  - list
  - watch
{% if cilium_version | regex_replace('v') is version('1.12', '<') %}
- apiGroups:
  - ""
  resources:
  - pods
  - pods/finalizers
  verbs:
  - get
  - list
  - watch
  - update
  - delete
- apiGroups:
  - ""
  resources:
  - pods
  - nodes
  verbs:
  - get
  - list
  - watch
  - update
{% endif %}
- apiGroups:
  - ""
  resources:
  - nodes
  - nodes/status
  verbs:
  - patch
- apiGroups:
  - apiextensions.k8s.io
  resources:
  - customresourcedefinitions
  verbs:
  # Deprecated for removal in v1.10
  - create
  - list
  - watch
  - update

  # This is used when validating policies in preflight. This will need to stay
  # until we figure out how to avoid "get" inside the preflight, and then
  # should be removed ideally.
  - get
- apiGroups:
  - cilium.io
  resources:
  - ciliumnetworkpolicies
  - ciliumnetworkpolicies/status
  - ciliumclusterwidenetworkpolicies
  - ciliumclusterwidenetworkpolicies/status
  - ciliumendpoints
  - ciliumendpoints/status
  - ciliumnodes
  - ciliumnodes/status
  - ciliumidentities
  - ciliumlocalredirectpolicies
  - ciliumlocalredirectpolicies/status
  - ciliumegressnatpolicies
{% if cilium_version | regex_replace('v') is version('1.11', '>=') %}
  - ciliumendpointslices
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
  - ciliumbgploadbalancerippools
  - ciliumbgppeeringpolicies
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.11.5', '<') %}
  - ciliumnetworkpolicies/finalizers
  - ciliumclusterwidenetworkpolicies/finalizers
  - ciliumendpoints/finalizers
  - ciliumnodes/finalizers
  - ciliumidentities/finalizers
  - ciliumlocalredirectpolicies/finalizers
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
  - ciliuml2announcementpolicies/status
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.15', '>=') %}
  - ciliumbgpnodeconfigs
  - ciliumbgpnodeconfigs/status
  - ciliumbgpadvertisements
  - ciliumbgppeerconfigs
{% endif %}
  verbs:
  - '*'
{% if cilium_version | regex_replace('v') is version('1.12', '>=') %}
- apiGroups:
  - cilium.io
  resources:
  - ciliumclusterwideenvoyconfigs
  - ciliumenvoyconfigs
  - ciliumegressgatewaypolicies
  verbs:
  - list
  - watch
{% endif %}
{% if cilium_version | regex_replace('v') is version('1.14', '>=') %}
- apiGroups:
  - cilium.io
  resources:
  - ciliumcidrgroups
  - ciliuml2announcementpolicies
  - ciliumpodippools
  - ciliuml2announcementpolicies/status
  verbs:
  - list
  - watch
{% if cilium_version %}
- apiGroups:
  - coordination.k8s.io
  resources:
  - leases
  verbs:
  - create
  - get
  - update
  - list
  - delete
{% endif %}
{% endif %}
